[crypto] Check for all-zeros result from X25519 key exchange

RFC7748 states that it is entirely optional for X25519 Diffie-Hellman implementations to check whether or not the result is the all-zero value (indicating that an attacker sent a malicious public key with a small order). RFC8422 states that implementations in TLS must abort the handshake if the all-zero value is obtained. Return an error if the all-zero value is obtained, so that the TLS code will not require knowledge specific to the X25519 curve. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-04-04 03:00:20 +03:00 · 2024-01-30 13:14:21 +00:00
parent de8a0821c7
commit 27398f1360
4 changed files with 47 additions and 12 deletions
--- a/src/crypto/x25519.c
+++ b/src/crypto/x25519.c
@@ -59,6 +59,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <stdint.h>
 #include <string.h>
 #include <assert.h>
+#include <errno.h>
 #include <ipxe/init.h>
 #include <ipxe/x25519.h>

@@ -781,10 +782,11 @@ static void x25519_reverse ( struct x25519_value *value ) {
 * @v base		Base point
 * @v scalar		Scalar multiple
 * @v result		Point to hold result (may overlap base point)
+ * @ret rc		Return status code
 */
-void x25519_key ( const struct x25519_value *base,
-		  const struct x25519_value *scalar,
-		  struct x25519_value *result ) {
+int x25519_key ( const struct x25519_value *base,
+		 const struct x25519_value *scalar,
+		 struct x25519_value *result ) {
 	struct x25519_value *tmp = result;
 	union x25519_quad257 point;

@@ -805,4 +807,7 @@ void x25519_key ( const struct x25519_value *base,
 	/* Reverse result */
 	bigint_done ( &point.value, result->raw, sizeof ( result->raw ) );
 	x25519_reverse ( result );
+
+	/* Fail if result was all zeros (as required by RFC8422) */
+	return ( bigint_is_zero ( &point.value ) ? -EPERM : 0 );
 }